Old 11-30-2005, 10:35 AM   #1 (permalink)
Registered User
 
Join Date: Nov 2005
Location: Finland
Posts: 7
OS: xp


Please check my log and tell me if there are any problems?

Okay, my computer has been a s**t to me for a time now, so I thought if someone would help me some? Here's my log:

Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NetLimiter\NetLimiter.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Jesse\HijackThis!\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://haku.soneraplaza.fi/haku/queryie5.jsp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.saunalahti.fi/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.soneraplaza.fi
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.kiuruvedenop.fi/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer - toimittaja Sonera Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:8000;https=127.0.0.1:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.fi;*.*.fi;*.*.*.fi
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {11A4CA8C-A8B9-49c2-A6D3-3F64C9EEBAE6} - (no file)
O4 - HKLM\..\Run: [CTStartup] "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /run
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [NetLimiter] C:\Program Files\NetLimiter\NetLimiter.exe /s
O4 - HKLM\..\Run: [EPSON Stylus CX3200] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P19 "EPSON Stylus CX3200" /O6 "USB001" /M "Stylus CX3200"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\ATI-CPanel\atiptaxx.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\RunServices: [Microsoft Windows DLL Services Configuration] windir32.exe
O4 - HKLM\..\RunServices: [Microsoft Update 64 BIT] schvost.exe
O4 - HKLM\..\RunOnce: [ATIPRB] C:\ATI-CPanel\atiprbxx.exe /g
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe"
O4 - HKCU\..\RunOnce: [CTStartup] "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /play
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O9 - Extra button: Browser Adjustment - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\PROGRA~1\Agnitum\OUTPOS~1\Plugins\BrowserBar\ie_bar.dll (file missing)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} - C:\PROGRA~1\Agnitum\OUTPOS~1\TRASH.EXE (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Show Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} - C:\PROGRA~1\Agnitum\OUTPOS~1\TRASH.EXE (file missing) (HKCU)
O12 - Plugin for .r: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.soneraplaza.fi
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?link...67&clcid=0x409
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} - http://cabs.media-motor.net/cabs/mmed.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: text/html - {686E79DA-CF44-4026-8320-B5CE8E95CDC9} - C:\Documents and Settings\Anu\Local Settings\Application Data\microsoft\internet explorer\V0.15.dat
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe
O23 - Service: Gear Security Service -turvapalvelu (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: iPod-palvelu (iPodService) - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe


So what should I fix?
Jermu is offline  

Old 11-30-2005, 08:03 PM   #2 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,196
OS: 2000 Pro; XP Pro; XP Home


Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

You appear to have elements of multiple AV (Avast and F-Secure) and firewall products (Outpost and Sygate). This can cause conflict. Choose one of each to keep, and at the very least disable one of each, if not completely uninstall.

Before attacking an adware/spyware problem with HijackThis, make sure you have already run the following tools. Download and update the databases on each program before running.

Download Ewido Security Suite
  • Install Ewido Security Suite
  • When installing, under "Additional Options" uncheck..
    • Install background guard
    • Install scan via context menu
  • Double-click the icon on Desktop to launch Ewido
You will need to update Ewido to the latest definition files.
  • On the left hand side of the main screen click update.
  • Then click on Start Update.
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update Ewido
When you have finished updating, EXIT Ewido.

The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! (Alternate Link if main link doesn't work) and install it.

*NOTE* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp! If you have a 64 bit Operating System do NOT run Cleanup and let me know as we will use another utility.


Run Cleanup! using the following configuration:

1. Click Options...
2. Set the slider to Standard CleanUp!
3. Uncheck the following:
  • Delete Newsgroup cache
  • Delete Newsgroup Subscriptions
  • Scan local drives for temporary files
4. Click OK
5. Press the CleanUp! button to start the program. Reboot/logoff when prompted.
* CleanUp! will not create any backups!!

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers.

Run Ewido with its updated definitions: (...it's important that all windows must be closed)
  • Click Scanner
  • Click Complete System Scan to begin scanning.
  • Click OK when prompted to clean files
With the first file it prompts to clean, select the option:
  • "Perform action on all infections"
  • Choose clean and click OK.
Once finished, click the Save report button & save the report to your desktop

** Ewido scan would require at least an hour.


Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

O2 - BHO: (no name) - {11A4CA8C-A8B9-49c2-A6D3-3F64C9EEBAE6} - (no file)
O4 - HKLM\..\RunServices: [Microsoft Windows DLL Services Configuration] windir32.exe
O4 - HKLM\..\RunServices: [Microsoft Update 64 BIT] schvost.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.soneraplaza.fi
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} - http://cabs.media-motor.net/cabs/mmed.cab


Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm and then click OK.

Locate the following Files/Folders via Start>Search and delete them if they exist. In Windows XP, the search engine feature is a little different. When you click on 'All files and folders' on the left pane of the Search Window, click on the 'More advanced options' at the bottom. Make sure that 'Search system folders', 'Search hidden files and folders', and 'Search subfolders' are checked.

windir32.exe
schvost.exe <<< be sure of this spelling... it closely resembles a legit Windows file


Restart in normal mode now.

Download Trend Micro™ Anti-Spyware (by clicking the "Scan and Clean your PC" button).
  • Choose Save, NOT run, and save to your desktop
  • Double-click the tmas-web-scan.exe icon
  • It will say "Loading TrendMicro definitions".
  • Click "Start Scan"
After it's done scanning, click "Scan Results"
  • Make sure all items found have a check next to them, then click "Clean Threats Now".
  • Click Exit.
Reboot your computer. I then need you to repeat the same procedure above again... using the TrendMicro tool. I need the log from the second scan/clean...NOT the first...as this will contain what’s left in the system.

In place of the TrendMicro icon will be a text file called "Antispyware.log", please double-click that log and copy the entire contents and paste them here.




Perform an online scan with Internet Explorer with Panda ActiveScan
** click on "Free use ActiveScan" located on the top right hand corner
  1. Click Scan your PC & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
  2. Click Scan Now
  3. Enter your e-mail address & click Scan Now ...begins downloading 8 MB Panda's ActiveX controls
Begin the scan by selecting My Computer
  • If it finds any malware, it will offer you a report.
  • Click on see report. Then click Save report
Post the contents of the report in your next reply

*You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
*Turn off the real time scanner of any existing antivirus program while performing the online scan



Restart and run a new HijackThis scan. Save the log file and post it here. Be sure to include the entire header of the log, as it gives us information critical to our review.

Please return with results from:

Ewido
Antispyware.log
Panda
HJT
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
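
Three of the entries picked out in the reply above can be recognised from the structure of the log alone: a BHO whose file is "(no file)", an autorun command with no directory path, and a file name that is a near miss of a Windows system binary (schvost.exe against svchost.exe). The following is an added example, not part of the original thread or of HijackThis; the function names, the distance threshold and the minimum name length are assumptions, the sample lines are copied from the log in post #1, and the O14 and O16 picks rest on analyst knowledge that these checks do not cover.

```python
import re

# System binaries taken from the "Running processes" section of the posted log.
KNOWN_SYSTEM = {"smss.exe", "winlogon.exe", "services.exe", "lsass.exe",
                "svchost.exe", "explorer.exe", "spoolsv.exe", "ctfmon.exe"}

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<file>.+)$")
O4_RE = re.compile(r"^O4 - (?P<loc>[^:]+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# Executable part of an autorun command, quoted or not, up to the first extension.
EXE_RE = re.compile(r'^"?(?P<exe>.+?\.(?:exe|com|bat|cmd|scr|pif))\b', re.IGNORECASE)

# Sample input: lines copied from the HijackThis log in the first post.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {11A4CA8C-A8B9-49c2-A6D3-3F64C9EEBAE6} - (no file)
O4 - HKLM\..\Run: [CTStartup] "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /run
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\RunServices: [Microsoft Windows DLL Services Configuration] windir32.exe
O4 - HKLM\..\RunServices: [Microsoft Update 64 BIT] schvost.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""


def levenshtein(a, b):
    """Classic edit distance (insert, delete, substitute), row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def lookalike_of(basename, max_dist=2, min_len=6):
    """Return the system binary that basename imitates, or None.

    Exact matches are not lookalikes. Names shorter than min_len are skipped
    because a distance of 2 is meaningless on them (smc vs smss, for example).
    """
    name = basename.lower()
    stem = name.rsplit(".", 1)[0]
    if name in KNOWN_SYSTEM or len(stem) < min_len:
        return None
    for known in sorted(KNOWN_SYSTEM):
        if 0 < levenshtein(stem, known.rsplit(".", 1)[0]) <= max_dist:
            return known
    return None


def triage(log_text):
    """Return [(log line, [reasons])] for O2/O4 entries worth a closer look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        reasons = []
        bho = O2_RE.match(line)
        if bho and bho.group("file") == "(no file)":
            reasons.append("BHO registered but no file on disk")
        run = O4_RE.match(line)
        if run:
            exe = EXE_RE.match(run.group("cmd"))
            if exe:
                path = exe.group("exe")
                if "\\" not in path:
                    reasons.append("autorun command has no directory path")
                twin = lookalike_of(path.rsplit("\\", 1)[-1])
                if twin:
                    reasons.append("name resembles " + twin)
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG):
        print(entry)
        for reason in why:
            print("    -> " + reason)
```

A hit is a lead for the analyst, not a verdict: a legitimate entry can trip the same checks, and an entry that trips none can still be malicious.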
Old 12-01-2005, 03:15 AM   #3 (permalink)
Registered User
 
Join Date: Nov 2005
Location: Finland
Posts: 7
OS: xp


Thanks

I'll try those so we'll see if those work. Thanks a lot!
Jermu is offline  
Old 12-01-2005, 10:19 AM   #4 (permalink)
Registered User
 
Join Date: Nov 2005
Location: Finland
Posts: 7
OS: xp


Okay, I did everything as told and here are the results:

Ewido log:
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 17:09:46, 1.12.2005
+ Report-Checksum: 3C9C0AA

+ Scan result:

HKLM\SOFTWARE\Classes\Interface\{5596A501-9A62-4964-994A-1A50B5B2F33F}\TypeLib\\ -> Spyware.MediaMotor : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{55A6D014-7ED9-4D5F-9667-67153C1E8DCB}\TypeLib\\ -> Spyware.MediaMotor : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{572AC135-B81F-4578-85ED-2B263BDAC66C}\TypeLib\\ -> Spyware.MediaMotor : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{D81C8764-576C-4901-ACCB-3F49122DB1D3}\TypeLib\\ -> Spyware.MediaMotor : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/HDPlugin1018.dll\\.Owner -> Spyware.Gator : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/HDPlugin1018.dll\\{DBAE7000-01EC-4162-8FEB-8A27AC937CA0} -> Spyware.Gator : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/mm20.ocx\\.Owner -> Spyware.Roimoi : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/mm20.ocx\\{E0CE16CB-741C-4B24-8D04-A817856E07F4} -> Spyware.Roimoi : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/roing17.ocx\\.Owner -> Spyware.Roimoi : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/roing17.ocx\\{E0CE16CB-741C-4B24-8D04-A817856E07F4} -> Spyware.Roimoi : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/System32/ObjSafe.tlb\\.Owner -> Spyware.Roimoi : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/System32/ObjSafe.tlb\\{E0CE16CB-741C-4B24-8D04-A817856E07F4} -> Spyware.Roimoi : Cleaned with backup
HKU\S-1-5-21-842925246-2049760794-725345543-1006\Software\DNS -> Adware.Shorty : Cleaned with backup
HKU\S-1-5-21-842925246-2049760794-725345543-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{000020DD-C72E-4113-AF77-DD56626C6C42} -> Spyware.TwainTech : Cleaned with backup
:mozilla.10:C:\Documents and Settings\elmeri\Application Data\Mozilla\Firefox\Profiles\bzdzaumg.Jesse\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.13:C:\Documents and Settings\elmeri\Application Data\Mozilla\Firefox\Profiles\bzdzaumg.Jesse\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.14:C:\Documents and Settings\elmeri\Application Data\Mozilla\Firefox\Profiles\bzdzaumg.Jesse\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.15:C:\Documents and Settings\elmeri\Application Data\Mozilla\Firefox\Profiles\bzdzaumg.Jesse\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.16:C:\Documents and Settings\elmeri\Application Data\Mozilla\Firefox\Profiles\bzdzaumg.Jesse\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.20:C:\Documents and Settings\elmeri\Application Data\Mozilla\Firefox\Profiles\bzdzaumg.Jesse\cookies.txt -> Spyware.Cookie.247realmedia : Cleaned with backup
:mozilla.23:C:\Documents and Settings\elmeri\Application Data\Mozilla\Firefox\Profiles\bzdzaumg.Jesse\cookies.txt -> Spyware.Cookie.Adocean : Cleaned with backup
:mozilla.24:C:\Documents and Settings\elmeri\Application Data\Mozilla\Firefox\Profiles\bzdzaumg.Jesse\cookies.txt -> Spyware.Cookie.Adocean : Cleaned with backup
:mozilla.25:C:\Documents and Settings\elmeri\Application Data\Mozilla\Firefox\Profiles\bzdzaumg.Jesse\cookies.txt -> Spyware.Cookie.Adbrite : Cleaned with backup
:mozilla.26:C:\Documents and Settings\elmeri\Application Data\Mozilla\Firefox\Profiles\bzdzaumg.Jesse\cookies.txt -> Spyware.Cookie.Adbrite : Cleaned with backup
:mozilla.38:C:\Documents and Settings\elmeri\Application Data\Mozilla\Firefox\Profiles\bzdzaumg.Jesse\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.39:C:\Documents and Settings\elmeri\Application Data\Mozilla\Firefox\Profiles\bzdzaumg.Jesse\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.40:C:\Documents and Settings\elmeri\Application Data\Mozilla\Firefox\Profiles\bzdzaumg.Jesse\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.41:C:\Documents and Settings\elmeri\Application Data\Mozilla\Firefox\Profiles\bzdzaumg.Jesse\cookies.txt -> Spyware.Cookie.Adtech : Cleaned with backup
:mozilla.42:C:\Documents and Settings\elmeri\Application Data\Mozilla\Firefox\Profiles\bzdzaumg.Jesse\cookies.txt -> Spyware.Cookie.Adtech : Cleaned with backup
:mozilla.47:C:\Documents and Settings\elmeri\Application Data\Mozilla\Firefox\Profiles\bzdzaumg.Jesse\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.48:C:\Documents and Settings\elmeri\Application Data\Mozilla\Firefox\Profiles\bzdzaumg.Jesse\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.49:C:\Documents and Settings\elmeri\Application Data\Mozilla\Firefox\Profiles\bzdzaumg.Jesse\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.50:C:\Documents and Settings\elmeri\Application Data\Mozilla\Firefox\Profiles\bzdzaumg.Jesse\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
:mozilla.51:C:\Documents and Settings\elmeri\Application Data\Mozilla\Firefox\Profiles\bzdzaumg.Jesse\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
:mozilla.55:C:\Documents and Settings\elmeri\Application Data\Mozilla\Firefox\Profiles\bzdzaumg.Jesse\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.56:C:\Documents and Settings\elmeri\Application Data\Mozilla\Firefox\Profiles\bzdzaumg.Jesse\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.58:C:\Documents and Settings\elmeri\Application Data\Mozilla\Firefox\Profiles\bzdzaumg.Jesse\cookies.txt -> Spyware.Cookie.Estat : Cleaned with backup
:mozilla.101:C:\Documents and Settings\elmeri\Application Data\Mozilla\Firefox\Profiles\bzdzaumg.Jesse\cookies.txt -> Spyware.Cookie.Pro-market : Cleaned with backup
:mozilla.103:C:\Documents and Settings\elmeri\Application Data\Mozilla\Firefox\Profiles\bzdzaumg.Jesse\cookies.txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
:mozilla.111:C:\Documents and Settings\elmeri\Application Data\Mozilla\Firefox\Profiles\bzdzaumg.Jesse\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.112:C:\Documents and Settings\elmeri\Application Data\Mozilla\Firefox\Profiles\bzdzaumg.Jesse\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.113:C:\Documents and Settings\elmeri\Application Data\Mozilla\Firefox\Profiles\bzdzaumg.Jesse\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.114:C:\Documents and Settings\elmeri\Application Data\Mozilla\Firefox\Profiles\bzdzaumg.Jesse\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.115:C:\Documents and Settings\elmeri\Application Data\Mozilla\Firefox\Profiles\bzdzaumg.Jesse\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.119:C:\Documents and Settings\elmeri\Application Data\Mozilla\Firefox\Profiles\bzdzaumg.Jesse\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.121:C:\Documents and Settings\elmeri\Application Data\Mozilla\Firefox\Profiles\bzdzaumg.Jesse\cookies.txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
:mozilla.122:C:\Documents and Settings\elmeri\Application Data\Mozilla\Firefox\Profiles\bzdzaumg.Jesse\cookies.txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
:mozilla.123:C:\Documents and Settings\elmeri\Application Data\Mozilla\Firefox\Profiles\bzdzaumg.Jesse\cookies.txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
:mozilla.124:C:\Documents and Settings\elmeri\Application Data\Mozilla\Firefox\Profiles\bzdzaumg.Jesse\cookies.txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
:mozilla.125:C:\Documents and Settings\elmeri\Application Data\Mozilla\Firefox\Profiles\bzdzaumg.Jesse\cookies.txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
:mozilla.126:C:\Documents and Settings\elmeri\Application Data\Mozilla\Firefox\Profiles\bzdzaumg.Jesse\cookies.txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
:mozilla.127:C:\Documents and Settings\elmeri\Application Data\Mozilla\Firefox\Profiles\bzdzaumg.Jesse\cookies.txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
:mozilla.128:C:\Documents and Settings\elmeri\Application Data\Mozilla\Firefox\Profiles\bzdzaumg.Jesse\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.129:C:\Documents and Settings\elmeri\Application Data\Mozilla\Firefox\Profiles\bzdzaumg.Jesse\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.130:C:\Documents and Settings\elmeri\Application Data\Mozilla\Firefox\Profiles\bzdzaumg.Jesse\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.131:C:\Documents and Settings\elmeri\Application Data\Mozilla\Firefox\Profiles\bzdzaumg.Jesse\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.132:C:\Documents and Settings\elmeri\Application Data\Mozilla\Firefox\Profiles\bzdzaumg.Jesse\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.135:C:\Documents and Settings\elmeri\Application Data\Mozilla\Firefox\Profiles\bzdzaumg.Jesse\cookies.txt -> Spyware.Cookie.Weborama : Cleaned with backup
:mozilla.136:C:\Documents and Settings\elmeri\Application Data\Mozilla\Firefox\Profiles\bzdzaumg.Jesse\cookies.txt -> Spyware.Cookie.Weborama : Cleaned with backup
:mozilla.153:C:\Documents and Settings\elmeri\Application Data\Mozilla\Firefox\Profiles\bzdzaumg.Jesse\cookies.txt -> Spyware.Cookie.Adbrite : Cleaned with backup
:mozilla.154:C:\Documents and Settings\elmeri\Application Data\Mozilla\Firefox\Profiles\bzdzaumg.Jesse\cookies.txt -> Spyware.Cookie.Adbrite : Cleaned with backup
:mozilla.158:C:\Documents and Settings\elmeri\Application Data\Mozilla\Firefox\Profiles\bzdzaumg.Jesse\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.159:C:\Documents and Settings\elmeri\Application Data\Mozilla\Firefox\Profiles\bzdzaumg.Jesse\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.160:C:\Documents and Settings\elmeri\Application Data\Mozilla\Firefox\Profiles\bzdzaumg.Jesse\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.161:C:\Documents and Settings\elmeri\Application Data\Mozilla\Firefox\Profiles\bzdzaumg.Jesse\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.162:C:\Documents and Settings\elmeri\Application Data\Mozilla\Firefox\Profiles\bzdzaumg.Jesse\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.163:C:\Documents and Settings\elmeri\Application Data\Mozilla\Firefox\Profiles\bzdzaumg.Jesse\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.164:C:\Documents and Settings\elmeri\Application Data\Mozilla\Firefox\Profiles\bzdzaumg.Jesse\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.170:C:\Documents and Settings\elmeri\Application Data\Mozilla\Firefox\Profiles\bzdzaumg.Jesse\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.171:C:\Documents and Settings\elmeri\Application Data\Mozilla\Firefox\Profiles\bzdzaumg.Jesse\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.172:C:\Documents and Settings\elmeri\Application Data\Mozilla\Firefox\Profiles\bzdzaumg.Jesse\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.174:C:\Documents and Settings\elmeri\Application Data\Mozilla\Firefox\Profiles\bzdzaumg.Jesse\cookies.txt -> Spyware.Cookie.Counted : Cleaned with backup
:mozilla.196:C:\Documents and Settings\elmeri\Application Data\Mozilla\Firefox\Profiles\bzdzaumg.Jesse\cookies.txt -> Spyware.Cookie.Itrack : Cleaned with backup
:mozilla.208:C:\Documents and Settings\elmeri\Application Data\Mozilla\Firefox\Profiles\bzdzaumg.Jesse\cookies.txt -> Spyware.Cookie.Onestat : Cleaned with backup
:mozilla.209:C:\Documents and Settings\elmeri\Application Data\Mozilla\Firefox\Profiles\bzdzaumg.Jesse\cookies.txt -> Spyware.Cookie.Onestat : Cleaned with backup
:mozilla.254:C:\Documents and Settings\elmeri\Application Data\Mozilla\Firefox\Profiles\bzdzaumg.Jesse\cookies.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup
:mozilla.292:C:\Documents and Settings\elmeri\Application Data\Mozilla\Firefox\Profiles\bzdzaumg.Jesse\cookies.txt -> Spyware.Cookie.Smartadserver : Cleaned with backup
:mozilla.293:C:\Documents and Settings\elmeri\Application Data\Mozilla\Firefox\Profiles\bzdzaumg.Jesse\cookies.txt -> Spyware.Cookie.Smartadserver : Cleaned with backup
:mozilla.294:C:\Documents and Settings\elmeri\Application Data\Mozilla\Firefox\Profiles\bzdzaumg.Jesse\cookies.txt -> Spyware.Cookie.Smartadserver : Cleaned with backup
C:\Program Files\Common Files\Windows\services32.exe -> Spyware.Maxifiles : Cleaned with backup
C:\WINDOWS\casicon.0xe/icon.exe -> Trojan.VB.ot : Cleaned with backup
C:\WINDOWS\prelimhanse.exe -> Spyware.WebHancer : Cleaned with backup
L:\Program Files\Spybot - Search & Destroy\Includes\Hosts.sbs -> Trojan.Qhost.ew : Cleaned with backup


::Report End


Panda log:

Incident Status Location

Adware:adware/clickalchemy Not desinfected C:\WINDOWS\alchem.ini
Adware:adware/twain-tech Not desinfected C:\WINDOWS\smdat32m.sys
Spyware:spyware/adclicker Not desinfected C:\WINDOWS\usta32.ini
Adware:adware/maxifiles Not desinfected C:\PROGRAM FILES\COMMON FILES\InetGet
Adware:adware/p2pnetworking Not desinfected Windows Registry
Adware:Adware/IST.ISTBar Not desinfected C:\Documents and Settings\elmeri\.jpi_cache\jar\1.0\javainstaller.jar-2cb7cc7c-17694dc2.zip[InstallerApplet.class]
Adware:Adware/IST.ISTBar Not desinfected C:\Documents and Settings\elmeri\.jpi_cache\jar\1.0\javainstaller.jar-2cb7cc7f-45ce33a1.zip[InstallerApplet.class]
Adware:Adware/IST.ISTBar Not desinfected C:\Documents and Settings\elmeri\.jpi_cache\jar\1.0\javainstaller.jar-31f06070-7246cbb6.zip[InstallerApplet.class]
Adware:Adware/IST.ISTBar Not desinfected C:\Documents and Settings\elmeri\.jpi_cache\jar\1.0\javainstaller.jar-4514e5ea-1551efd4.zip[InstallerApplet.class]
Adware:Adware/IST.ISTBar Not desinfected C:\Documents and Settings\elmeri\.jpi_cache\jar\1.0\javainstaller.jar-4514e5ea-23db0402.zip[InstallerApplet.class]
Adware:Adware/Maxifiles Not desinfected C:\Program Files\Common Files\InetGet\mc-58-12-0000080.exe
Adware:Adware/Maxifiles Not desinfected C:\Program Files\Common Files\Windows\mc-58-12-0000080.exe



Antispyware log:
Started Scanning
Internet Cookies
Programs in Memory
Windows Registry
Found '' in 'SOFTWARE\P2P Networking\Clients'
Found '' in 'SOFTWARE\Magnet'
Found '' in 'SOFTWARE\Classes\magnet'
Found '' in 'SOFTWARE\Classes\magnet\shell\open\command'
Found '' in 'SOFTWARE\ssprint'
Found 'Location' in 'SOFTWARE\Magnet'
Found 'URL Protocol' in 'SOFTWARE\Classes\magnet'
Found '' in 'Software\AppConf'
Found 'confset' in 'Software\AppConf'
Found '' in 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range1'
Found 'iebar' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform'
Internet URL Shortcuts
Files and Directories
Found '' in 'C:\Program Files\Common Files\SearchUpgrader'
Found '' in 'C:\Program Files\whInstall'
Found 'alchem.inf' in 'C:\WINDOWS\inf'
Finished Scanning
Started Backup
Finished Backup
Started Cleaning
Checking for 'C:\Program Files\Common Files\SearchUpgrader' in shortcut areas.
Checking for 'C:\Program Files\Common Files\SearchUpgrader' in startup areas.
Cleaning 'C:\Program Files\Common Files\SearchUpgrader'
Checking for 'C:\Program Files\Common Files\SearchUpgrader\client.cfg' in shortcut areas.
Checking for 'C:\Program Files\Common Files\SearchUpgrader\client.cfg' in startup areas.
Cleaning 'C:\Program Files\Common Files\SearchUpgrader\client.cfg'
Checking for 'C:\Program Files\Common Files\SearchUpgrader\system.cfg' in shortcut areas.
Checking for 'C:\Program Files\Common Files\SearchUpgrader\system.cfg' in startup areas.
Cleaning 'C:\Program Files\Common Files\SearchUpgrader\system.cfg'
Checking for 'C:\Program Files\whInstall' in shortcut areas.
Checking for 'C:\Program Files\whInstall' in startup areas.
Cleaning 'C:\Program Files\whInstall'
Checking for 'C:\WINDOWS\inf\alchem.inf' in shortcut areas.
Checking for 'C:\WINDOWS\inf\alchem.inf' in startup areas.
Cleaning 'C:\WINDOWS\inf\alchem.inf'
Finished Cleaning
Started Scanning
Internet Cookies
Programs in Memory
Windows Registry
Internet URL Shortcuts
Files and Directories
Finished Scanning



And last the HijackThis! log:
Logfile of HijackThis v1.99.1
Scan saved at 19:13:39, on 1.12.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NetLimiter\NetLimiter.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\BitComet\BitComet.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Jesse\HijackThis!\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://haku.soneraplaza.fi/haku/queryie5.jsp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.saunalahti.fi/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.soneraplaza.fi
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.kiuruvedenop.fi/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer - toimittaja Sonera Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:8000;https=127.0.0.1:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.fi;*.*.fi;*.*.*.fi
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [CTStartup] "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /run
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [NetLimiter] C:\Program Files\NetLimiter\NetLimiter.exe /s
O4 - HKLM\..\Run: [EPSON Stylus CX3200] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P19 "EPSON Stylus CX3200" /O6 "USB001" /M "Stylus CX3200"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\ATI-CPanel\atiptaxx.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\RunOnce: [ATIPRB] C:\ATI-CPanel\atiprbxx.exe /g
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe"
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O9 - Extra button: Browser Adjustment - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\PROGRA~1\Agnitum\OUTPOS~1\Plugins\BrowserBar\ie_bar.dll (file missing)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} - C:\PROGRA~1\Agnitum\OUTPOS~1\TRASH.EXE (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Show Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} - C:\PROGRA~1\Agnitum\OUTPOS~1\TRASH.EXE (file missing) (HKCU)
O12 - Plugin for .r: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?link...67&clcid=0x409
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe
O23 - Service: Gear Security Service -turvapalvelu (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: iPod-palvelu (iPodService) - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe


So there you have it. There was so much spyware and other stuff to clean!
Is everything now in control?
Jermu is offline  
Old 12-01-2005, 02:20 PM   #5 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,196
OS: 2000 Pro; XP Pro; XP Home


In control, but not done yet.....

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Download this ISTbar Removal Tool and run it.

------------------------------------------------

Download and unzip BFUzip from http://www.merijn.org/files/bfu.zip
Run the program and click the Web button as shown here:


Use this URL to copy into the address bar of the Download script window:
http://metallica.geekstogo.com/alcanshorty.bfu

Execute the script by clicking the Execute button.

If you have any questions about the use of BFU please read here:
http://metallica.geekstogo.com/BFUinstructions.html

------------------------------------------------

Delete the following Files/Folders if they exist:

C:\WINDOWS\alchem.ini
C:\WINDOWS\smdat32m.sys
C:\WINDOWS\usta32.ini
C:\PROGRAM FILES\COMMON FILES\InetGet
C:\Documents and Settings\elmeri\.jpi_cache\jar\1.0\javainstaller.jar-2cb7cc7c-17694dc2.zip
C:\Documents and Settings\elmeri\.jpi_cache\jar\1.0\javainstaller.jar-2cb7cc7f-45ce33a1.zip
C:\Documents and Settings\elmeri\.jpi_cache\jar\1.0\javainstaller.jar-31f06070-7246cbb6.zip
C:\Documents and Settings\elmeri\.jpi_cache\jar\1.0\javainstaller.jar-4514e5ea-1551efd4.zip
C:\Documents and Settings\elmeri\.jpi_cache\jar\1.0\javainstaller.jar-4514e5ea-23db0402.zip


If any resist deletion, boot to safe mode and delete them from there. If you cannot delete any, please let me know.
------------------------------------------------

This next scan is to get a "second opinion", to ensure that all has been cleaned from your system.

Perform an online scan with Internet Explorer with

Kaspersky Online Scanner

Next Click on Launch Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    • Standard
    • Scan Options:
    • Scan Archives
    • Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
    • Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Take note of the names and locations of any file it detects but fails to clean.

* Turn off the real time scanner of any existing antivirus program while performing the online scan


Restart and run a new HijackThis scan. Save the log file and post it here.

We will address protection tools once you are clean.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Old 12-07-2005, 02:48 PM   #6 (permalink)
Registered User
 
Join Date: Nov 2005
Location: Finland
Posts: 7
OS: xp


Sorry it took so long to do those scans etc. Here are the logs:

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Wednesday, December 07, 2005 07:37:40
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 6/12/2005
Kaspersky Anti-Virus database records: 153653
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
G:\
H:\
I:\
J:\
K:\
L:\

Scan Statistics:
Total number of scanned objects: 97836
Number of viruses found: 2
Number of infected objects: 6
Number of suspicious objects: 4
Duration of the scan process: 12373 sec

Infected Object Name - Virus Name
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DyFuCAInternetOptimizer2.zip/optimize.exe Suspicious: Password-protected-EXE
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DyFuCAInternetOptimizer2.zip Suspicious: Password-protected-EXE
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DyFuCAInternetOptimizer9.zip/optimize.exe Suspicious: Password-protected-EXE
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DyFuCAInternetOptimizer9.zip Suspicious: Password-protected-EXE
C:\Documents and Settings\elmeri\.jpi_cache\jar\1.0\javainstaller.jar-2cb7cc7f-45ce33a1.zip/javainstaller/InstallerApplet.class Infected: Trojan-Downloader.Java.OpenStream.w
C:\Documents and Settings\elmeri\.jpi_cache\jar\1.0\javainstaller.jar-2cb7cc7f-45ce33a1.zip Infected: Trojan-Downloader.Java.OpenStream.w
C:\Documents and Settings\elmeri\.jpi_cache\jar\1.0\javainstaller.jar-31f06070-7246cbb6.zip/javainstaller/InstallerApplet.class Infected: Trojan-Downloader.Java.OpenStream.w
C:\Documents and Settings\elmeri\.jpi_cache\jar\1.0\javainstaller.jar-31f06070-7246cbb6.zip Infected: Trojan-Downloader.Java.OpenStream.w
C:\Documents and Settings\elmeri\.jpi_cache\jar\1.0\javainstaller.jar-4514e5ea-1551efd4.zip/javainstaller/InstallerApplet.class Infected: Trojan-Downloader.Java.OpenStream.w
C:\Documents and Settings\elmeri\.jpi_cache\jar\1.0\javainstaller.jar-4514e5ea-1551efd4.zip Infected: Trojan-Downloader.Java.OpenStream.w

Scan process completed.



And HijackThis! log:

Logfile of HijackThis v1.99.1
Scan saved at 21:33:36, on 7.12.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NetLimiter\NetLimiter.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\BitComet\BitComet.exe
C:\Jesse\HijackThis!\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.saunalahti.fi/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.soneraplaza.fi
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer - toimittaja Sonera Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:8000;https=127.0.0.1:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.fi;*.*.fi;*.*.*.fi
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [CTStartup] "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /run
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [NetLimiter] C:\Program Files\NetLimiter\NetLimiter.exe /s
O4 - HKLM\..\Run: [EPSON Stylus CX3200] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P19 "EPSON Stylus CX3200" /O6 "USB001" /M "Stylus CX3200"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\ATI-CPanel\atiptaxx.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [iTunesHelper] "C:\DOCUME~1\Anu\TYPYT~1\Kuvat\Anu\apple\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\RunOnce: [ATIPRB] C:\ATI-CPanel\atiprbxx.exe /g
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe"
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O9 - Extra button: Browser Adjustment - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\PROGRA~1\Agnitum\OUTPOS~1\Plugins\BrowserBar\ie_bar.dll (file missing)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} - C:\PROGRA~1\Agnitum\OUTPOS~1\TRASH.EXE (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Show Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} - C:\PROGRA~1\Agnitum\OUTPOS~1\TRASH.EXE (file missing) (HKCU)
O12 - Plugin for .r: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?link...67&clcid=0x409
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

Almost done?
Jermu is offline  
Old 12-07-2005, 04:14 PM   #7 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,196
OS: 2000 Pro; XP Pro; XP Home


There are a few infected files still being identified by Kaspersky.

Delete these files.

C:\Documents and Settings\elmeri\.jpi_cache\jar\1.0\javainstaller.jar-2cb7cc7f-45ce33a1.zip
C:\Documents and Settings\elmeri\.jpi_cache\jar\1.0\javainstaller.jar-31f06070-7246cbb6.zip
C:\Documents and Settings\elmeri\.jpi_cache\jar\1.0\javainstaller.jar-4514e5ea-1551efd4.zip

The others are in SpyBot Recovery folder.
When files found by other scanners are in the Recovery directory inside the Spybot-S&D directory, it is only a backup. It is no longer of any harm there, as the file won't be loaded from there. But once you are sure you don't need the backup, go to the Recovery section inside Spybot-S&D and purge the files.

Other than that, your logs are clean.

Well done. Any more issues? If not you should be good to go. We still have a few items to address.


Reset hidden/system files and folders
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Deselect the Show hidden files and folders option.
  • Select the Hide file extensions for known types option.
  • Select the Hide protected operating system files option.
  • Click Yes to confirm.
  • Click OK.

Create a new System Restore point
  • click Start >> Run - type SYSDM.CPL & press Enter
  • select the System Restore Tab
  • tick on the checkbox - "Turn off System Restore on all drives"
  • click Apply
  • then untick the same checkbox & click OK

Enable Windows Auto Update
  • Go to Start>Run - type wuaucpl.cpl
  • tick on the checkbox - "Keep my computer up to date"
  • Under settings, choose "Automatically download the updates, and install them on the schedule that I specify".
  • Click on "OK".

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:
  • SpywareBlaster to help prevent spyware from installing in the first place.
  • SpywareGuard to catch and block spyware before it can execute.
  • SPYBOT - SEARCH & DESTROY
    Download and install Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software. A tutorial on installing & using this product can be found here
  • AD-AWARE
    Download and install Ad-Aware. You should use this program to scan your computer on a regular basis just as you would an antivirus software in conjunction with Spybot. A tutorial on installing & using this product can be found here
  • IE-SPYAD
    IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impairs attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. A tutorial on installing this product can be found here
  • MVPS HOST FILE
    The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer. It can be downloaded here - MVPS Hosts file
  • ANTIVIRUS SOFTWARE
    It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online antivirus scanners:

    Anti-Spyware Tutorial

    Here are two very good free Antivirus products which are available:
  • Avast!
  • AVG

    It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
  • Winpatrol - Download and install the free version of Winpatrol.
    A tutorial for this product is located here:
    Using Winpatrol to protect your computer from malicious software

If you do not have a firewall, here are 4 free ones available for personal use:


In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles


Please respond to this thread one more time so we can mark this thread as resolved.
tetonbob is offline  
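The triage applied to the Kaspersky report in the post above (archive-member lines collapsed to the file on disk, Spybot-S&D Recovery backups separated from live files), as an added Python example that is not part of the original thread. The function names are hypothetical, the parser assumes the `<path> <Infected|Suspicious>: <name>` line layout seen in that report, and the sample lines are copied from the report posted earlier in the thread.

```python
import re
from collections import Counter

# Detection lines copied from the Kaspersky On-line Scanner report posted in
# this thread (sample input for the example; nothing here is invented).
REPORT = r"""
Infected Object Name - Virus Name
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DyFuCAInternetOptimizer2.zip/optimize.exe Suspicious: Password-protected-EXE
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DyFuCAInternetOptimizer2.zip Suspicious: Password-protected-EXE
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DyFuCAInternetOptimizer9.zip/optimize.exe Suspicious: Password-protected-EXE
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DyFuCAInternetOptimizer9.zip Suspicious: Password-protected-EXE
C:\Documents and Settings\elmeri\.jpi_cache\jar\1.0\javainstaller.jar-2cb7cc7f-45ce33a1.zip/javainstaller/InstallerApplet.class Infected: Trojan-Downloader.Java.OpenStream.w
C:\Documents and Settings\elmeri\.jpi_cache\jar\1.0\javainstaller.jar-2cb7cc7f-45ce33a1.zip Infected: Trojan-Downloader.Java.OpenStream.w
C:\Documents and Settings\elmeri\.jpi_cache\jar\1.0\javainstaller.jar-31f06070-7246cbb6.zip/javainstaller/InstallerApplet.class Infected: Trojan-Downloader.Java.OpenStream.w
C:\Documents and Settings\elmeri\.jpi_cache\jar\1.0\javainstaller.jar-31f06070-7246cbb6.zip Infected: Trojan-Downloader.Java.OpenStream.w
C:\Documents and Settings\elmeri\.jpi_cache\jar\1.0\javainstaller.jar-4514e5ea-1551efd4.zip/javainstaller/InstallerApplet.class Infected: Trojan-Downloader.Java.OpenStream.w
C:\Documents and Settings\elmeri\.jpi_cache\jar\1.0\javainstaller.jar-4514e5ea-1551efd4.zip Infected: Trojan-Downloader.Java.OpenStream.w

Scan process completed.
"""

# Assumed layout: "<path> <verdict>: <detection name>". Paths contain spaces,
# so the path is everything before the first " Infected:" or " Suspicious:".
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<verdict>Infected|Suspicious):\s+(?P<name>.+)$"
)

# Spybot-S&D keeps backups of removed items here; the thread treats hits in
# this directory as inert backups rather than live infections.
QUARANTINE_DIR = "\\spybot - search & destroy\\recovery\\"


def parse_report(text):
    """Return one dict per detection line, ignoring headers and blank lines."""
    findings = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        # The scanner writes "archive.zip/inner/member"; Windows paths use
        # backslashes, so the first "/" marks where the archive member begins.
        container, _, member = m["path"].partition("/")
        findings.append({
            "container": container,
            "member": member,
            "verdict": m["verdict"],
            "name": m["name"].strip(),
        })
    return findings


def verdict_counts(findings):
    """Count lines per verdict, for checking against the report's statistics."""
    return Counter(f["verdict"] for f in findings)


def triage(findings):
    """Collapse findings to files on disk and split backups from live files.

    Returns (live, backups); each is a list of (file_path, [detection names])
    in the order the files first appear in the report.
    """
    grouped = {}
    for f in findings:
        grouped.setdefault(f["container"], set()).add(f["name"])
    live, backups = [], []
    for container, names in grouped.items():
        bucket = backups if QUARANTINE_DIR in container.lower() else live
        bucket.append((container, sorted(names)))
    return live, backups


if __name__ == "__main__":
    found = parse_report(REPORT)
    print("lines per verdict:", dict(verdict_counts(found)))
    live_files, backup_files = triage(found)
    print("live files to delete:")
    for path, names in live_files:
        print("  ", path, names)
    print("Spybot-S&D recovery backups (purge from within Spybot when no longer needed):")
    for path, names in backup_files:
        print("  ", path, names)
```

The per-verdict line counts can be compared with the "infected objects" and "suspicious objects" figures in the report's Scan Statistics as a check that no detection line was skipped by the parser.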
Old 12-08-2005, 01:35 PM   #8 (permalink)
Registered User
 
Join Date: Nov 2005
Location: Finland
Posts: 7
OS: xp


Lastly I wanted to ask, do any of those programs make my p2p programs stop working? And where should I write at techsupport about my malfunctioning internet? For example, if I have a Dc++ or Bitcomet or any other p2p program running, I can't get to any other internet site.
Jermu is offline  
Old 12-08-2005, 05:29 PM   #9 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,196
OS: 2000 Pro; XP Pro; XP Home


Nothing we've done should have affected that. I'll try to have another analyst pop in and advise.

One thing I do notice is that there are still multiple AV (Avast and F-Secure) and firewall (Outpost and Sygate) products as indicated in my first post, and this may cause you some conflicts.
tetonbob is offline  
Old 12-08-2005, 08:01 PM   #10 (permalink)
Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter
 
MicroBell's Avatar
 
Join Date: Sep 2004
Location: Carmichaels, PA-USA
Posts: 6,963
OS: Windows 7


If your connection works fine when NO P2P is running...then your firewall or the program is blocking access to the net. Some P2P programs also have a setting to block outgoing access so that the P2P program gets full control when downloading.

I would ask this question in the network section...or at one of the forums of the P2P software that you're having trouble with. If you shut down the firewall to test...it should tell you if it's a firewall issue...or the program.
__________________
We Are The BORG Spyware KILLER and Adware Destroyer!





Spyware/Adware Removal Tools
Hijackthis
Ad-aware SE
Spybot Search&Destroy
SpywareBlaster
CWShredder
MicroBell is offline  
Old 12-10-2005, 03:14 AM   #11 (permalink)
Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter
 
MicroBell's Avatar
 
Join Date: Sep 2004
Location: Carmichaels, PA-USA
Posts: 6,963
OS: Windows 7


Jermu,

I have one more suggestion. Please contact your ISP and ask them if they are limiting your access to P2P. I came across an interesting statement whereby ISP carriers Shaw and Rogers are blocking P2P traffic on their networks without making their customers aware of this limitation.

http://www.dslreports.com/shownews/70195
MicroBell is offline  
Old 12-10-2005, 08:15 AM   #12 (permalink)
Registered User
 
Join Date: Nov 2005
Location: Finland
Posts: 7
OS: xp


Well I have removed f-secure and outpost by uninstall so can you list what products I should remove? And thanks for the info about my p2p programs.
Jermu is offline  
Old 12-11-2005, 02:52 AM   #13 (permalink)
MicroBell

Ummm..I said shut them down...as in disable..NOT remove. They are both needed. If you're still being denied access...your next step would be contact the ISP..as they may block it on their end. I would also suggest that you remove one of your P2P programs and reinstall it..to make sure it's not a setting issue in the program.

If you're using Windows XP's firewall...disable it also and test to see if it's blocking access. It may be the ports required for access are closed. Someone in the network section may have more knowledge than myself.
Old 12-12-2005, 10:29 AM   #14 (permalink)
Jermu

It was tetonbob who said that I have pieces of f-secure and outpost in my system, they were uninstalled a long time ago so no worries. But though I haven't got the p2p problem solved so I will someday contact my ISP and check what you said so thanks.
Old 12-12-2005, 11:17 AM   #15 (permalink)
tetonbob

Right, so as long as you still have AVG and Sygate, you're protected.

To complete MB's checks, you may want to disable each of those (one at a time) to see if they are the cause of the P2P blockage, as well as check the P2P program settings, and with your ISP.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009

All times are GMT -7.

Copyright 2001 - 2009, Tech Support Forum